Censinet, KLAS Research, and American Hospital Association Publish Results of Industry’s First Healthcare Cybersecurity Benchmarking Study


Sponsored by Leading Health Systems, Landmark Study Sets New Standard for Cybersecurity Coverage, Maturity and Resiliency in Healthcare; Next Study Wave Now Open for Participation

Censinet, the leading provider of healthcare risk management solutions, announced today the release of results from the first wave of the Healthcare Cybersecurity Benchmarking Study. Co-led by KLAS Research and the American Hospital Association (AHA), and sponsored by leading health systems, the Study establishes collaborative, trusted, and actionable peer benchmarks to help all U.S. hospitals and health systems strengthen their cybersecurity program coverage, maturity, and resiliency. Full analysis and results from the Study are available exclusively to participants, while the Executive Summary whitepaper from the Study is available publicly here.

“Censinet is proud to present results from the industry’s first Healthcare Cybersecurity Benchmarking Study, and we thank KLAS Research, AHA, our provider sponsors, and study participants for their dedication, collaboration, and insight,” said Ed Gaudet, CEO and Founder of Censinet. “This Study is a testament to the power of community response to bad actors that seek to threaten patient safety every day, further affirming our ‘Stronger Together’ shared vision across healthcare.”

“KLAS Research is proud to have worked with Censinet and the American Hospital Association to publish this whitepaper as well as the full Healthcare Cybersecurity Benchmarking Study analysis and results,” said Adam Gale, Chief Executive Officer at KLAS Research. “This landmark initiative represents a giant leap forward to shine a light on the state of cybersecurity in the industry and, at the same time, to help elevate cybersecurity resiliency and maturity across all organizations.”

The Healthcare Cybersecurity Benchmarking Study establishes peer benchmarks across a combination of key organizational metrics, NIST Cybersecurity Framework (CSF), and HHS 405(d) Health Industry Cybersecurity Practices (HICP) – ensuring comprehensive visibility and peer comparison into cybersecurity maturity and performance. Conducted from November 2022 to March 2023, the first wave of the Study includes 48 healthcare delivery organizations, and is co-sponsored by 8 leading health systems, including: Intermountain Health, Mass General Brigham, Cedars-Sinai, Marshfield Clinic Health System, Fairview Health Services, Baptist Health, Hartford HealthCare, and Dayton Children’s. The Company is currently enrolling participants for the next wave of the Study.

Key findings in the Executive Summary whitepaper from the Study include:

  • Healthcare cybersecurity is better positioned to be reactive rather than proactive as Identify ranks lowest in coverage among all five NIST CSF Functions.

  • Supply Chain Risk is still highly pervasive, ranking lowest in coverage across all 23 NIST CSF Categories.

  • Higher third-party risk assessment coverage is positively correlated with lower annual growth in cyber insurance premiums.

  • While Email Protections are largely in place, Medical Device Security still lags behind, ranking lowest in coverage across all ten HICP Practice areas.

  • Higher CISO program ownership is positively correlated with higher HICP Practice coverage for Medical Device Security and Network Management.

“The Healthcare Cybersecurity Benchmarking Study initiative provides critical intelligence to help guide our fight against those who directly threaten hospital operations and patient care,” said John Riggi, National Advisor for Cybersecurity and Risk, American Hospital Association. “Peer benchmarking delivers immediate, actionable insights into cybersecurity performance and provides a targeted roadmap for improvement, driving much-needed investment in cyber resiliency across our entire field.”

Data and analysis from the Healthcare Cybersecurity Benchmarking Study serve as one of the primary inputs into the Hospital Cyber Resiliency Initiative Landscape Analysis, a report recently published by the U.S. Department of Health and Human Services 405(d) Program focusing on the cybersecurity resiliency of participating U.S. hospitals and health systems benchmarked against best practice guidelines such as HICP and NIST CSF.

“As patient safety is put at risk by an increasingly-malicious threat landscape, U.S. hospitals and health systems must stay ahead of bad actors the best they can,” said Erik Decker, VP and Chief Information Security Officer at Intermountain Health and chair of the Health Sector Coordinating Council’s Cybersecurity Working Group. “Drawn from the unique insights in the Healthcare Cybersecurity Benchmarking Study, the Landscape Analysis is a significant asset for healthcare organizations – especially those under-served – to make the right investment decisions to bolster their cybersecurity maturity and resiliency for the long run.”

To inquire about participating in the next wave of the Benchmarking Study, please contact Cormac Miller, President and Chief Commercial Officer at Censinet, at cmiller@censinet.com.